The act of fishing is nearly as old as humanity itself. Over centuries, fishing has evolved from a purely subsistence activity to one many enjoy as a leisure pursuit. The ‘fishing for fun’ crowd can be divided into two primary cohorts: deep sea fishermen and freshwater fishermen.

Beyond the basic act, these two groups are strikingly different. Deep-sea fishing requires a high level of skill and experience, the ability to navigate unpredictable waters, and highly durable equipment appropriate for harsher conditions and stronger, more aggressive fish. The potential rewards are rare and valuable catches, but the effort and risk to attain those are immense. Conversely, freshwater fishing happens in calmer waters with access to readily available fish. The experience is more relaxing, making it ideal for beginners. While the catch may be less spectacular, the ease of access is undeniable.

While seemingly unrelated to cybersecurity, this analogy perfectly portrays how threat actors categorize organizations. From a hacker’s perspective, an ‘attractive’ target is the equivalent of a deep-sea expedition that can yield valuable treasures (intellectual property and sensitive data). An ‘easy’ target is akin to a day spent fishing on a lake, producing a small haul without much effort (lower ransoms, for example). Regardless of which one your company is, there’s a high probability your waters (infrastructure) are about to be fished.

With some insight into why attackers view your organization as attractive or easy, you can strengthen your defenses and catch them as soon as they cast a line, likely using a phishing email as bait.

Attractive Targets: A High-Risk, High-Reward Proposition

Skilled threat actors with access to sophisticated tools and advanced techniques are drawn to organizations that offer significant rewards, even if the effort required to bypass robust security measures and associated risks are equally high for attackers. Attractive targets typically possess one or more of the following characteristics:

Valuable Information: Organizations with intellectual property (IP), such as patents, trade secrets, or proprietary technologies, are prime targets. Threat actors view these assets as gold and may be engaged in espionage, state-sponsored crimes, or looking to collect a hefty ransom.

Sensitive Customer Data: Organizations holding personally identifiable information (PII) like social security numbers, credit card details, or medical records are attractive targets for data breaches. The fallout from having this data published on the dark web could be enough to ensure a company quietly pays a ransom.

Critical Business Continuity: Organizations that cannot afford a disruption because they provide essential or life-dependent services, such as government agencies, hospitals, or utility companies, are alluring targets. Hackers could be interested in financial gain, or attacks could be politically motivated or have the goal of destabilization.

Financial Transaction Dependency: Banks, casinos, and retail establishments are attractive due to the volume of transactions they handle, the high value of information processed, and the possibility of stealing funds.

The Low-Hanging Fruit: Easy Targets

While some organizations hold high value, easy targets present a simpler path to a fast payout. Script kiddies or those new to a RaaS group might hone in on easy targets because compromising their systems takes little skill and produces quick wins, similar to lake fishing. Easy targets often share common weaknesses and vulnerabilities:

Obvious Weak Security: Outdated systems, left in place because of the difficulty or reluctance to migrate to modern, secure systems, can create significant security gaps or leave organizations with vulnerabilities that attackers can easily exploit. Open-source intelligence (OSINT) or a simple vulnerability scan can help attackers identify such companies.

Low Employee Security Awareness: Organizations with limited security awareness training programs have weaker security postures, making them easier to penetrate. Those with a high percentage of non-technical staff, such as a public school, will naturally be more susceptible to phishing attacks – how 90% of all attacks start – and social engineering tactics than a hi-tech SaaS company. 

Heavy Reliance on Interconnectivity: Businesses severely dependent on remote access and interconnected networks create more expansive attack surfaces and potential entry points for malicious actors to exploit. Adding a handful of internet-facing applications, such as email servers, VPNs, and file transfer systems, also makes companies easy targets. The MOVEit breach affected more than 60 million people and organizations, making it one of the most extensive attacks of the last few years.

In the Eyes of Hacker, SMBs as Prime Targets

While large enterprises often take the spotlight in cybersecurity discussions and news headlines, statistics reveal a harsh reality: SMBs are increasingly becoming prime targets for attacks. Verizon’s 2023 DBIR report found that 43% of all cyberattacks target small businesses, and the costs associated with these attacks can be devastating, forcing 60% to shut their doors within six months.

This trend is attributed to several factors. Compared to large enterprises, SMBs typically lack the dedicated financial and human resources for comprehensive cybersecurity solutions and the time to thoroughly investigate and remediate threats. Additionally, many SMBs are chasing rapid growth, which often leads to security corners being cut – corners that can inadvertently create exploitable security gaps.

Beyond the Binary: A Spectrum of Risk

It’s important to remember that bad actors don’t always follow a rigid script. They may target a business simply because it appears easy compared to other potential targets in their sights. This highlights the importance of a layered defense strategy for every organization, regardless of size or perceived attractiveness.

Just as deep-sea fishing and lake fishing both require a certain level of skill and preparation to succeed, so too does cybersecurity. One of the most effective ways to bolster your organization’s cybersecurity posture is by implementing a Digital Forensics and Incident Response (DFIR)-backed Security Operations Center (SOC). That will provide you with continuous network activity monitoring and a team of experts who can efficiently investigate and respond to security incidents, minimizing damage and downtime. When combined, this creates a robust security system capable of defending against a wide range of cyber attacks. By adopting a multi-layered approach that combines advanced tools with robust security practices and employee awareness training, your organization can be better prepared to navigate your position in the digital waters, regardless of whether you exist in the deep seas or a shallow lake.